Trust CAs injected via VAULT_CACERT as S3 target for vault helm chart #28010
Comments
I figured out a (dirty) way using ubi images without using root rights.
Having the same issue but using Helm charts. For me it's quite funny that setting up Vault as a Root CA issuing a cert to a Keycloak server that you then want to create an OIDC client to authenticate against... Vault does not even trust its own cert. And no easy way to get it to either... silly having to create a separate image FROM hashi/vault :-)
Is your feature request related to a problem? Please describe.
Currently there is no option to inject a self-signed CA for use as an S3 snapshot target. Vault already has the option to inject a CA using the env var VAULT_CACERT. However, this CA is not injected into the trust store of the image but only used for the Vault application. So there is no native option to specify the S3 CA. This isn't a problem if using public S3 storage like AWS or GCP, but if you're using your own S3 storage with a private CA, there is no option for it.
Describe the solution you'd like
That the content of VAULT_CACERT gets injected into the system image, so that the S3 client trusts the self-signed injected CA. If the env var cannot be used for this purpose, there should be another var for it.
Describe alternatives you've considered
Fork the Vault image and do the injection there, or use an initContainer. There is no documentation about it and both solutions are associated with more complex maintenance.
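As an added example (not from this issue or the vault-helm project), one way to get the private S3 CA trusted without rebuilding the image or needing root: mount the CA from a Secret and point Go's trust lookup at it. Vault's S3 client is Go code, and Go's crypto/x509 on Linux honours SSL_CERT_FILE (a single bundle file, replacing the distro default paths) and SSL_CERT_DIR. The Secret name `s3-private-ca`, its key `ca.crt` and the mount path are constructed for the example; the chart keys `server.volumes`, `server.volumeMounts` and `server.extraEnvironmentVars` are assumed to match the vault-helm values.yaml.

```yaml
# Added example values for the vault-helm chart; not part of the project.
# Assumes a Secret `s3-private-ca` (constructed name) with key `ca.crt`
# that the operator created beforehand, holding a PEM bundle.
server:
  volumes:
    - name: s3-private-ca
      secret:
        secretName: s3-private-ca
        items:
          - key: ca.crt
            path: ca.crt
  volumeMounts:
    - name: s3-private-ca
      mountPath: /etc/private-ca
      readOnly: true
  extraEnvironmentVars:
    # Go's crypto/x509 reads SSL_CERT_FILE instead of the default bundle
    # locations, so the Go-based S3 client trusts what is in this file.
    # Caveat: because it replaces (not extends) the defaults, the file
    # should be a concatenated bundle of the public roots plus the private
    # CA if Vault also has to reach public HTTPS endpoints.
    SSL_CERT_FILE: /etc/private-ca/ca.crt
```

Note that this only affects TLS done by Vault's own Go runtime; tools shipped in the image that use the OS trust store (for example curl on a ubi base) are unaffected, and VAULT_CACERT remains what the Vault client uses to trust Vault's own API listener. The mounted Secret is read-only and needs no write access to the image's trust store, which keeps the pod runnable as a non-root user.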
Explain any additional use-cases
Additional context